Aaron M. Ucko
2007-Aug-30 00:27 UTC
[Logcheck-devel] Bug#440123: ignore.d.server/logcheck: please update for pam 0.99+
Package: logcheck-database
Version: 1.2.60
Severity: normal
File: /etc/logcheck/ignore.d.server/logcheck

The recent pam upgrade in unstable introduced a new message format; could you please update the patterns in ignore.d.server/logcheck accordingly? Specifically, could you please add the following two lines (modeled after the current first two lines)?

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: pam_[[:alnum:]]+\([[:alnum:]]+:[[:alnum:]]+\): session opened for user [.[:alnum:]-]+ by (root|LOGIN)?\(uid=0\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: pam_[[:alnum:]]+\([[:alnum:]]+:[[:alnum:]]+\): session closed for user [.[:alnum:]-]+$

Thanks!

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.22.1 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

-- debconf information:
  logcheck-database/rules-directories-note:
  logcheck-database/standard-rename-note:
  logcheck-database/conffile-cleanup: false
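As an added check, not part of the bug report or of the logcheck-database package, the script below runs the two proposed patterns, plus the pre-0.99 line they sit beside, over constructed sample syslog lines with grep -E, the extended-regex dialect logcheck feeds to egrep. The hostname "monk", the pids and the timestamps are invented, and the script assumes GNU grep for the \w escape. Beyond the report's own case it also confirms that the proposed rule still lets a session opened by a non-root uid through, which is the property an ignore rule should keep.

```shell
#!/bin/sh
# Added example (not from the bug report): exercise the two patterns
# proposed for ignore.d.server/logcheck against constructed syslog lines
# using grep -E (GNU ERE, the dialect logcheck hands to egrep).

# The two patterns proposed in the report, copied verbatim.
NEW_OPENED='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: pam_[[:alnum:]]+\([[:alnum:]]+:[[:alnum:]]+\): session opened for user [.[:alnum:]-]+ by (root|LOGIN)?\(uid=0\)$'
NEW_CLOSED='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: pam_[[:alnum:]]+\([[:alnum:]]+:[[:alnum:]]+\): session closed for user [.[:alnum:]-]+$'
# Line 1 of the file as shipped in 1.2.60 (pre-0.99 format), for comparison.
OLD_OPENED='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: \(pam_[[:alnum:]]+\) session opened for user [.[:alnum:]-]+ by (root|LOGIN)?\(uid=0\)$'

# Constructed sample log lines: hostname "monk", pids and times are invented.
# pam 0.99 format: "pam_unix(cron:session): ..."
LINE_NEW_OPENED='Aug 30 00:27:01 monk cron[12345]: pam_unix(cron:session): session opened for user root by (uid=0)'
# syslog pads a single-digit day with a space; the [ :0-9]{11} class must absorb it.
LINE_NEW_OPENED_PADDED='Aug  9 00:27:01 monk CRON[12345]: pam_unix(cron:session): session opened for user root by (uid=0)'
LINE_NEW_CLOSED='Aug 30 00:27:02 monk cron[12345]: pam_unix(cron:session): session closed for user root'
# pre-0.99 format: "(pam_unix) ..."
LINE_OLD_OPENED='Aug 30 00:27:01 monk cron[12345]: (pam_unix) session opened for user root by (uid=0)'
# A session opened by a non-root uid must NOT be swallowed by the ignore rule.
LINE_NONROOT='Aug 30 00:27:01 monk sshd[4321]: pam_unix(sshd:session): session opened for user alice by (uid=1000)'

# matches PATTERN LINE: succeed only if LINE matches PATTERN (the pattern carries its own ^ and $).
matches() {
    printf '%s\n' "$2" | grep -E -q -e "$1"
}

# check_case WANT PATTERN LINE LABEL: WANT is "match" or "nomatch"; prints a verdict, fails on mismatch.
check_case() {
    if matches "$2" "$3"; then got=match; else got=nomatch; fi
    if [ "$got" = "$1" ]; then
        printf 'ok   %s\n' "$4"
    else
        printf 'FAIL %s (expected %s, got %s)\n' "$4" "$1" "$got"
        return 1
    fi
}

# check_proposed_patterns: run every case; succeed only if all of them hold.
check_proposed_patterns() {
    rc=0
    check_case match   "$NEW_OPENED" "$LINE_NEW_OPENED"        'new pattern matches 0.99 "session opened"'            || rc=1
    check_case match   "$NEW_OPENED" "$LINE_NEW_OPENED_PADDED" 'new pattern copes with a space-padded day'            || rc=1
    check_case match   "$NEW_CLOSED" "$LINE_NEW_CLOSED"        'new pattern matches 0.99 "session closed"'            || rc=1
    check_case nomatch "$OLD_OPENED" "$LINE_NEW_OPENED"        'shipped pattern misses the 0.99 format (the reported gap)' || rc=1
    check_case nomatch "$NEW_OPENED" "$LINE_OLD_OPENED"        'new pattern leaves the old format to the existing line' || rc=1
    check_case nomatch "$NEW_OPENED" "$LINE_NONROOT"           'sessions opened by uid != 0 are still reported'        || rc=1
    return $rc
}

check_proposed_patterns
```

Running the script prints one verdict per case and exits non-zero if any expectation fails, so the same file can be dropped into a rule review to catch a pattern that has quietly become too broad or stopped matching after the next format change.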
Aaron M. Ucko
2007-Aug-30 16:01 UTC
[Logcheck-devel] Bug#440123: ignore.d.server/logcheck: please update for pam 0.99+
Upon closer inspection, a number of other files also contain old PAM patterns; could you please update them as well?

# fgrep -nH -e '\(pam_' /etc/logcheck/*/*
/etc/logcheck/ignore.d.paranoid/cron:7:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(pam_[[:alnum:]]+\) session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
/etc/logcheck/ignore.d.paranoid/cron:8:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(pam_[[:alnum:]]+\) session closed for user [[:alnum:]-]+$
/etc/logcheck/ignore.d.paranoid/ssh:1:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: \(pam_[[:alnum:]]+\) session opened for user [^[:space:]]+ by ([[:alnum:]-]+)?\(uid=[0-9]+\)$
/etc/logcheck/ignore.d.paranoid/ssh:2:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: \(pam_[[:alnum:]]+\) session closed for user [^[:space:]]+$
/etc/logcheck/ignore.d.server/dovecot:14:^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot-auth: \(pam_unix\) check pass; user unknown$
/etc/logcheck/ignore.d.server/logcheck:1:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: \(pam_[[:alnum:]]+\) session opened for user [.[:alnum:]-]+ by (root|LOGIN)?\(uid=0\)$
/etc/logcheck/ignore.d.server/logcheck:2:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: \(pam_[[:alnum:]]+\) session closed for user [.[:alnum:]-]+$
/etc/logcheck/ignore.d.server/proftpd:1:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd: \(pam_unix\) session (opened|closed) for user [._[:alnum:]-]+( by \(uid=[0-9]+\))?$
/etc/logcheck/ignore.d.server/saslauthd:3:^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: \(pam_unix\) check pass; user unknown$
/etc/logcheck/ignore.d.server/ssh:19:^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: \(pam_unix\) check pass; user unknown$
/etc/logcheck/ignore.d.server/ssh:20:^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: \(pam_unix\) auth could not identify password for \[[-_.[:alnum:]]*\]$
/etc/logcheck/ignore.d.workstation/francine:1:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ francine: \(pam_unix\) session (opened|closed) for user [a-z]+( by LOGIN\(uid=0\))?$
/etc/logcheck/ignore.d.workstation/gdm:1:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gdm\[[0-9]+\]: [[:alnum:]]+: \(pam_securetty\) access denied: tty ':0' is not secure !$
/etc/logcheck/ignore.d.workstation/kdm:1:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kdm: :0\[[0-9]+\]: \(pam_[[:alnum:]]+\) session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
/etc/logcheck/ignore.d.workstation/kdm:2:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kdm: :0\[[0-9]+\]: \(pam_[[:alnum:]]+\) session closed for user [[:alnum:]-]+$
/etc/logcheck/ignore.d.workstation/wdm:1:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wdm: \(pam_[[:alnum:]]+\) session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
/etc/logcheck/ignore.d.workstation/wdm:2:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wdm: \(pam_[[:alnum:]]+\) session closed for user [[:alnum:]-]+$
/etc/logcheck/ignore.d.workstation/xdm:1:^\w{3} [ :0-9]{11} [._[:alnum:]-]+[[:space:]]+: \(pam_[[:alnum:]]+\) session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
/etc/logcheck/ignore.d.workstation/xdm:2:^\w{3} [ :0-9]{11} [._[:alnum:]-]+[[:space:]]+: \(pam_[[:alnum:]]+\) session closed for user [[:alnum:]-]+$
/etc/logcheck/violations.d/su:1:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \(pam_[[:alnum:]]+\) .*$
/etc/logcheck/violations.d/sudo:1:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo\[[0-9]+\]: \(pam_[[:alnum:]]+\) .*$
/etc/logcheck/violations.ignore.d/logcheck-dovecot:1:^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot-auth: \(pam_unix\) authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=$
/etc/logcheck/violations.ignore.d/logcheck-passwd:1:^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ passwd\[[[:digit:]]+\]: \(pam_unix\) authentication failure; logname=[-._[:alnum:]]+ uid=[[:digit:]]+ euid=0 tty= ruser= rhost= [[:space:]]*user=[-._[:alnum:]]+$
/etc/logcheck/violations.ignore.d/logcheck-proftpd:1:^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd: \(pam_unix\) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=[-_.:[:alnum:]]+ user=[-_.[:alnum:]]+$
/etc/logcheck/violations.ignore.d/logcheck-saslauthd:3:^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: \(pam_unix\) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= [[:space:]]*user=[-._[:alnum:]]+$
/etc/logcheck/violations.ignore.d/logcheck-ssh:11:^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: \(pam_unix\) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[^[:space:]]+([[:space:]]+user=[^[:space:]]+)?$
/etc/logcheck/violations.ignore.d/logcheck-su:2:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \(pam_[[:alnum:]]+\) session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
/etc/logcheck/violations.ignore.d/logcheck-su:3:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \(pam_[[:alnum:]]+\) session opened for user [[:alnum:]-]+ by [[:alnum:]-]+\(uid=[0-9]+\)$
/etc/logcheck/violations.ignore.d/logcheck-su:4:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \(pam_[[:alnum:]]+\) session closed for user [[:alnum:]-]+$

Thanks!

-- 
Aaron M. Ucko, KB1CJC (amu at alum.mit.edu, ucko at debian.org)
Finger amu at monk.mit.edu (NOT a valid e-mail address) for more info.